Signed ADO build Artifacts

Jennifer Olsen 1 Reputation point
2021-03-30T20:00:01.08+00:00

Our InfoSec team has asked us to show them how we are able to verify that the build artifacts deployed to a server target are the same build artifacts that were generated in our ADO pipelines, sent to Veracode (our code scanning service), approved in the ADO release process, and deployed through the ADO deployment agents.

The InfoSec team explains that ideally there would be a SHA hash on those artifacts that we could trace back through our process. Is this feasible with Azure DevOps out of the box? I cannot seem to find any Microsoft documentation regarding signed build artifacts that are created from within ADO. I have found that we could create a feed from another build service to pull the artifacts into ADO; however, we are using ADO pipelines to build our releases.

Community Center | Not monitored
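The hash-based traceability the question describes can be sketched as follows. This is an added example, not part of the original post and not a built-in Azure DevOps feature; the function names, the `drop` directory and the file contents are hypothetical, constructed sample data. A manifest of per-file SHA-256 hashes is created at build time, reduced to one digest that each later stage can record, and re-checked on the deployment target.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    # Stream the file so large artifacts are not loaded into memory at once.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    # Relative POSIX-style paths keep the manifest identical on Windows and Linux agents.
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def manifest_digest(manifest: dict) -> str:
    # Single value for the whole artifact set, over a canonical JSON encoding,
    # suitable for recording at build, scan, approval and deployment.
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def verify(root: Path, manifest: dict) -> dict:
    # Compare what is on disk against the build-time manifest.
    actual = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in actual),
        "unexpected": sorted(k for k in actual if k not in manifest),
    }

def demo() -> dict:
    # Constructed artifact directory standing in for a pipeline's published output.
    with tempfile.TemporaryDirectory() as tmp:
        drop = Path(tmp) / "drop"
        (drop / "bin").mkdir(parents=True)
        (drop / "bin" / "app.dll").write_bytes(b"constructed build output")
        (drop / "web.config").write_text("<configuration/>")
        manifest = build_manifest(drop)            # recorded at build time
        clean = verify(drop, manifest)             # unchanged copy on the target
        (drop / "bin" / "app.dll").write_bytes(b"changed after build")
        (drop / "extra.ps1").write_text("Write-Host 'not in the build'")
        (drop / "web.config").unlink()
        return {"digest": manifest_digest(manifest), "clean": clean,
                "changed": verify(drop, manifest),
                "digest_after": manifest_digest(build_manifest(drop))}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A matching hash shows only that the bytes are unchanged relative to the manifest. For the manifest itself to be trusted, it has to be signed or stored somewhere the deployment target cannot be made to overwrite.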

1 answer

  1. tbgangav-MSFT 10,426 Reputation points Moderator
    2021-03-31T01:45:42.797+00:00

    Hi @Jennifer Olsen ,

    Azure DevOps is currently not supported in this Microsoft Q&A platform. You may ask Azure DevOps related questions in this developer community.
